Defense Contractor Fined for Cyber Failures
May 23, 2026
This page was first published on Nov. 24, 2025. It was updated on May 23, 2026 to reflect recent Department of Justice (DOJ) False Claims Act (FCA) cybersecurity enforcement actions, Cybersecurity Maturity Model Certification (CMMC) developments, and evolving Defense Industrial Base (DIB) compliance expectations.
A Massachusetts defense contractor agreed to pay $4.6 million to settle allegations it violated the False Claims Act (FCA) by failing to meet cybersecurity requirements tied to Department of Defense (DoD) contracts. The MORSECORP case represents far more than an isolated compliance failure. It signals a rapidly expanding enforcement trend every company in the defense industrial base (DIB) needs to understand.
The Department of Justice (DOJ) increasingly treats cybersecurity compliance failures as potential fraud against the government when contractors knowingly misrepresent their security posture while continuing to receive federal funds. For military suppliers, cybersecurity is no longer simply an information technology (IT) issue or operational concern. It's now a contractual, legal, financial, and executive governance issue.
What Happened at MORSECORP
Between January 2018 and February 2023, MORSECORP submitted payment claims to the Department of Defense while allegedly failing to implement required cybersecurity controls under Defense Federal Acquisition Regulation Supplement (DFARS) and National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 requirements.
The most significant issue involved the company's self-reported NIST SP 800-171 score. MORSECORP reportedly submitted a score of 104 into the Department of Defense Supplier Performance Risk System (SPRS) in January 2021. However, a third-party cybersecurity consultant later determined the company's actual score was negative 142, indicating severe control deficiencies.
According to the settlement allegations, roughly 78% of required controls were either partially implemented or entirely missing. Despite learning about these deficiencies, MORSECORP allegedly delayed updating its SPRS score for nearly a year.
The company also allegedly:
- Used third-party email services that didn't meet Federal Risk and Authorization Management Program (FedRAMP) Moderate requirements
- Operated without adequate system security plans (SSPs)
- Failed to properly implement required NIST SP 800-171 controls
- Continued accepting federal contract payments while deficiencies remained unresolved
The result was a $4.6 million settlement, including substantial restitution and a significant whistleblower payout.
Cybersecurity Failures Becoming False Claims Act Cases
The MORSECORP matter is part of a broader DOJ strategy under the Civil Cyber-Fraud Initiative launched in 2021.
This initiative targets companies that knowingly:
- Misrepresent cybersecurity practices
- Submit inaccurate compliance attestations
- Fail to meet contractual cybersecurity obligations
- Conceal known security deficiencies
- Continue billing the government while materially noncompliant
Several notable cybersecurity-related FCA enforcement actions have emerged in recent years:
- Aerojet Rocketdyne faced allegations involving false cybersecurity certifications tied to military and National Aeronautics and Space Administration (NASA) contracts.
- Verizon Business Network Services agreed to resolve allegations tied to failures involving federal network security requirements.
- Comprehensive Health Services settled claims involving inadequate protection of sensitive military personnel and medical data.
- Cisco Systems previously resolved allegations involving the sale of products with known security vulnerabilities to government customers.
These cases demonstrate a fundamental shift in federal enforcement priorities. Cybersecurity deficiencies are no longer viewed solely as technical problems. Inaccurate cybersecurity representations can now create significant fraud exposure under the False Claims Act.
How Good Companies End Up in Trouble
Most False Claims Act cybersecurity cases don't start with executives intentionally trying to commit fraud. They usually start with shortcuts, assumptions, and pressure to keep contracts moving.
A contractor may inherit outdated systems after an acquisition and delay remediation because production deadlines take priority. Another company may rely on self-assessment scores that were never independently validated. Leadership teams sometimes assume partial implementation is "close enough" and continue certifying compliance while major gaps remain unresolved.
In other cases, suppliers centralize operations across multiple acquired companies without realizing weak onboarding, identity management, or vendor oversight processes are now spreading risk across the entire business.
What begins as operational convenience can quickly evolve into contractual risk if a contractor continues accepting federal funds while cybersecurity representations no longer match reality.
Many companies don't realize they have a serious problem until:
- A whistleblower reports internal concerns
- An outside consultant performs a real assessment
- A prime contractor requests supporting evidence
- A cyber incident exposes long-ignored weaknesses
- A CMMC assessment uncovers missing controls
By that point, legal exposure, reputational damage, and contract risk may already be growing.
Cybersecurity as a Board-Level Business Risk
Many defense contractors still approach cybersecurity primarily as an information technology issue or compliance checkbox. However, DOJ enforcement actions increasingly show cybersecurity governance failures can create enterprise-level business risk involving:
- False Claims Act liability
- Whistleblower lawsuits
- Suspension and debarment risk
- Loss of federal contracts
- Mergers and acquisitions due diligence failures
- Reputational damage
- Operational disruption following breaches or investigations
The biggest cybersecurity risk for many defense contractors is inaccurate compliance representations.
This risk becomes especially significant for companies rapidly acquiring businesses, consolidating operations, or integrating multiple business units under centralized governance structures.
Weak identity management, inconsistent onboarding processes, inherited technical debt, poor vendor oversight, and inaccurate compliance tracking can quickly create systemic cybersecurity risk across an entire enterprise.
Acquisitions Can Multiply Cybersecurity Risk
Rapid acquisition strategies create unique cybersecurity challenges throughout the defense industrial base.
When companies acquire multiple contractors and quickly centralize operations, weak governance decisions can spread across every business unit. Identity management shortcuts, inconsistent personnel screening, inherited technical debt, and incomplete documentation often become enterprise-wide problems.
Many leadership teams underestimate how difficult it is to integrate multiple environments handling controlled unclassified information (CUI) while maintaining accurate NIST SP 800-171 compliance across all systems.
As mergers and acquisitions continue throughout the DIB, cybersecurity due diligence is becoming increasingly important during both acquisition and integration phases.
Understanding NIST SP 800-171 and DFARS Obligations
NIST SP 800-171 establishes the security requirements for protecting CUI in nonfederal systems and organizations.
Defense contractors handling CUI are expected to implement 110 security requirements covering areas including:
- Access control
- Incident response
- Audit logging
- Personnel security
- Configuration management
- Media protection
- Risk assessment
- System and communications protection
DFARS clauses and associated SPRS reporting obligations require contractors to accurately assess and report implementation status. These self-assessments aren't simply administrative paperwork. They're representations tied directly to federal contracting eligibility and payment.
Difference Between Deficiencies and Deception
Most defense contractors are still maturing their cybersecurity programs. Many companies continue working through implementation challenges tied to NIST SP 800-171, DFARS requirements, and upcoming CMMC requirements.
Federal enforcement actions generally focus less on the existence of deficiencies themselves and more on:
- Knowingly inaccurate compliance representations
- Failure to disclose major deficiencies
- Fabricated documentation
- Concealment after internal discovery of serious gaps
- Continued misrepresentation after receiving professional assessments
A supplier may honestly believe it's compliant because a spreadsheet says controls are in place. Then an outside assessor discovers multi-factor authentication (MFA) wasn't fully enforced, logs weren't retained properly, vendors weren't reviewed, and system security plans were outdated. What leadership viewed as an IT cleanup project can suddenly become a contractual and legal problem.
Companies that conduct honest assessments, maintain accurate documentation, develop remediation plans, and report deficiencies transparently are in a much stronger position than contractors attempting to hide problems or inflate compliance status.
Whistleblower Risk Growing
The False Claims Act includes provisions allowing private individuals to file lawsuits on behalf of the federal government.
Employees, consultants, information technology personnel, subcontractors, former staff, and industry insiders who become aware of significant cybersecurity misrepresentations may receive a percentage of recovered funds if the government intervenes successfully.
In the MORSECORP matter, the whistleblower reportedly received $851,000 as part of the settlement.
Companies that ignore internal warnings, suppress security concerns, or pressure employees to minimize deficiencies significantly increase both legal and reputational risk.
How CMMC Changes the Enforcement Landscape
The CMMC program directly addresses many of the issues highlighted in recent enforcement actions.
Unlike prior self-attestation models, CMMC certification introduces independent third-party assessments designed to validate that contractors have actually implemented the required security controls.
Assessors evaluate:
- Technical implementations
- Policy documentation
- System configurations
- Operational processes
- Security evidence and artifacts
- Personnel understanding of procedures
As CMMC implementation expands throughout the defense industrial base, contractors should expect significantly increased scrutiny of cybersecurity claims and contractual representations.
What Defense Contractors Should Do Immediately
- Validate SPRS scores and assessment accuracy
- Conduct independent cybersecurity gap assessments
- Review system security plans and plans of action and milestones (POA&Ms) for completeness
- Verify cloud providers and third parties meet contractual obligations
- Document remediation activities and accepted risks
- Ensure executive leadership understands cybersecurity contractual obligations
- Establish governance processes for acquisitions and subsidiaries
- Develop repeatable compliance validation procedures
Beyond Compliance to Real Security
While recent enforcement actions focus heavily on compliance failures, the underlying issue remains national security risk.
Defense contractors manage information actively targeted by:
- Foreign intelligence services
- Cybercriminal organizations
- Nation-state threat actors
- Supply chain attackers
Weak cybersecurity within the defense industrial base creates exploitable pathways into sensitive defense programs, technologies, operational plans, and research environments.
Contractors should treat compliance as the starting point rather than the final objective. Effective cybersecurity requires continuous improvement, operational discipline, governance oversight, and honest assessment of risk.
Cost of Waiting
The financial cost of cybersecurity noncompliance extends far beyond settlement amounts.
Companies facing enforcement actions often experience:
- Legal expenses
- Forensic investigation costs
- Operational disruption
- Reputational damage
- Customer distrust
- Contract loss
- Increased cyber insurance scrutiny
- Acquisition and valuation complications
For defense contractors, the inability to demonstrate credible cybersecurity governance may eventually become a direct barrier to competing for future federal work.
Taking Action Before Enforcement
Defense contractors can't afford to wait for subpoenas, whistleblower complaints, failed assessments, or security incidents before addressing cybersecurity deficiencies.
Companies should begin with honest assessments of their current security posture, accurate documentation of deficiencies, and realistic remediation planning aligned to contractual requirements.
Contractors that proactively identify and address deficiencies place themselves in a significantly stronger position than companies attempting to minimize or conceal security weaknesses.
Cybersecurity within the defense industrial base is no longer simply a technical challenge. It's now a core component of contractual performance, enterprise governance, and national security responsibility.
Are You Prepared for CMMC and False Claims Act Scrutiny?
STACK Cybersecurity helps defense contractors assess cybersecurity maturity, identify compliance gaps, and prepare for Cybersecurity Maturity Model Certification and evolving federal cybersecurity requirements.